Analysis
-
max time kernel
63s -
max time network
65s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
01/04/2025, 18:00
General
-
Target
60.msi
-
Size
4.7MB
-
MD5
ecdd7739e76adee32b9cd61f4a132963
-
SHA1
14e5ec6b9c6bdaab641009284e2f41067462bf21
-
SHA256
59baa105734ae018e88a3abeee22657b083d2aaddf1c73e5564bf21382e5fa16
-
SHA512
91526118167315f2258c1d4e7f2b1d68f8cd7865b8bedafdb1864a4d2084ba8312124aefacc9402a38dd47474e9aabe7ce988c18bfdef9ced275920bf376c229
-
SSDEEP
98304:5Yqd1ASubUZwPEDYPo6sAPGJ60TGEtof1SvfRL8YwlYfRa6:LHr0PdsAPGJVTGEOdSvfSUa
Malware Config
Signatures
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Sectoprat family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Checks for any installed AV software in registry 1 TTPs 8 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 12 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\60.msi2⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe"C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2F20DA58A13F292BBB018A7EC6F43B7A2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Kart\GmRemote.exe"C:\Users\Admin\AppData\Local\Kart\GmRemote.exe"2⤵
- Checks for any installed AV software in registry
- Suspicious use of SetThreadContext
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exeC:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\gpupdate.exeC:\Windows\SysWOW64\gpupdate.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD537d3314ff5410607e0bbe660fecaec5a
SHA1c008b243a820555dd8b1619754bf739d64eeddcf
SHA256dace8143008fb59826a74d497fe25b722b0b94263dfc47866cac77292a237679
SHA512972dca0923afa58f47bc5f181e3753ac195520c405ee947be52d86408bf067d5ff07e4347db828c40b0d0055c301382eb42a78f448b3c110f94fd44cf4c26cf9
-
Filesize
99KB
MD5f61fa5ce25f885a9b1f549055c9911ed
SHA1aba1c035b06017b0b0bd1c712669646e4f3765ab
SHA25657e9675902b443085e37ead57dfed97de6bb61321682bc93aff30f16b5ca5aeb
SHA51202e3db343037294fd3b774f954c9a617a50715e6b89d7c409f3c7dc5a1cf5ed9418158c442e9e80111994da139a9a16db33ac68a833d6d115c4a41bdf75751ac
-
Filesize
2.8MB
MD59f2b0e4d218442927581577f52997f8d
SHA1ab74e08d3a230260a545036c4ab423db1e4746e8
SHA25647d20fa8d26cd6659bdcd45bce3a2666706d1e0b52b69ee023b58ac7e61bd936
SHA5124f7db2f85793056884876be3506710833c2bed20b0fb0d13db0e347f28b4935fa20b1d5968b63f9877ea473aed6c8bf28dc91af0cacaeee43d63f31a87e44e8b
-
Filesize
2.7MB
MD5c5dfb872054df521385411e555a6b01d
SHA199879cc065990aa14af270c6018a4c077999d791
SHA2568be4fc53030bc987e02b4206d245ac137cb1c00c3f7700f86cac440ab80344a6
SHA5123ce9bdf93976c8169790ce2f9221acfaf749c9c73a05ec567880b2b20102d482aa8c20586c83f92a02c7ce8ac280bf533034d1a25d0dfd0e594202a531f25a38
-
Filesize
2.7MB
MD5da90920c3d50ae4cc158a498df0b86dd
SHA1d085532220f21835241ae0e26839096d8e07ea85
SHA256181611e250a9490c89204b0836682c6121d82fb1b9dc27a61e9a548dd01025b7
SHA512e77f32d21e9b9bfef92a527e9182bbd59c3a7d257a196aea6d9f820f001254e781607988cba4e489dbf957f08e340b711b806be9b6e9cec74c4e8b3c0811ae30
-
Filesize
386KB
MD572b1c6699ddc2baab105d32761285df2
SHA1fc85e9fb190f205e6752624a5231515c4ee4e155
SHA256bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97
SHA512cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170
-
Filesize
4.7MB
MD5ecdd7739e76adee32b9cd61f4a132963
SHA114e5ec6b9c6bdaab641009284e2f41067462bf21
SHA25659baa105734ae018e88a3abeee22657b083d2aaddf1c73e5564bf21382e5fa16
SHA51291526118167315f2258c1d4e7f2b1d68f8cd7865b8bedafdb1864a4d2084ba8312124aefacc9402a38dd47474e9aabe7ce988c18bfdef9ced275920bf376c229
-
Filesize
24.1MB
MD55dfe70acab7ebd48bedf282e00c8a7ff
SHA1fb32a9a196297794df12022ae801b80055c62320
SHA256c4ab455056d5985262c65adfb7a1e96da3105b8363bdf15d04a2d83bafcb9cbf
SHA512912f812659b624f3d37d5ec643ea2abe3e4d936533ebf345e13211981f94652b5740cd6a440bbee224b6a26ff53652ead35fb26505d35fed6a51aa63fcf702b0
-
Filesize
6KB
MD56dc1c6ceb08e604b9e0fb57c52d90c51
SHA1acbe12e48ed29282f30b77bb0fd5372b62291978
SHA256219292e556ca71e4cb7a326fa6fe1f82d5fa3c69d03e3e062e9bcbcc982b38b9
SHA512028b666a2d226551c3beb6404e03f587298c1ecd5ac6de717d3df41b8348d1a520b7700515b8e708f459f328b0f1441f2f7bbdd9984cc427bfadcf6830fd4499
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
336KB
-
Filesize
1.8MB
-
Filesize
304KB
-
Filesize
1.6MB
-
Filesize
1.4MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
792KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
2.6MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
800KB
-
Filesize
316KB
-
Filesize
2.0MB
-
Filesize
316KB
-
Filesize
4.5MB
-
Filesize
848KB
-
Filesize
320KB
-
Filesize
1.8MB